Change logs for squirrelmail source package in Jaunty

  • squirrelmail (2:1.4.15-4ubuntu0.4) jaunty-security; urgency=low
    
      * SECURITY UPDATE: (LP: #598077)
      * The Mail Fetch plugin allows remote authenticated users to bypass firewall
        restrictions and use SquirrelMail as a proxy to scan internal networks via
        a modified POP3 port number.
        - http://squirrelmail.org/security/issue/2010-06-21
        - CVE-2010-1637
        - Patch taken from upstream svn rev. 13951. Applied inline.
     -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:16:52 +0200
  • squirrelmail (2:1.4.15-4ubuntu0.3) jaunty-security; urgency=low
    
      * SECURITY UPDATE: (LP: #446838)
      * Multiple cross-site request forgery (CSRF) issues in all
        form submissions
      * edited:
        src/addrbook_search_html.php,src/addressbook.php,src/compose.php,
        src/folders_create.php,src/folders_delete.php,src/folders.php,
        src/folders_rename_do.php,src/folders_rename_getname.php,
        src/folders_subscribe.php,functions/forms.php,
        functions/mailbox_display.php,src/move_messages.php,
        src/options_highlight.php,src/options_identities.php,
        src/options_order.php,src/options.php,src/search.php,
        functions/strings.php,src/vcard.php
      * Fixes: CVE-2009-2964
        - http://www.squirrelmail.org/security/issue/2009-08-12
        - patches taken from upstream rev 13818
        - patches applied inline
     -- Leonel Nunez <email address hidden>   Sat, 10 Oct 2009 19:30:41 -0600
  • squirrelmail (2:1.4.15-4ubuntu0.2) jaunty-security; urgency=low
    
      * SECURITY UPDATE: (LP: #396306)
      * Server-side code injection in map_yp_alias username map. An issue was
        fixed that allowed arbitrary server-side code execution when SquirrelMail
        was configured to use the example "map_yp_alias" username mapping
        functionality.
        - Fixes incomplete fix for CVE-2009-1579
        - http://squirrelmail.org/security/issue/2009-05-10
        - CVE-2009-1381
        - Patch taken from upstream svn rev. 13733. Applied inline.
    
     -- Andreas Wenning <email address hidden>   Tue, 07 Jul 2009 02:39:55 +0200
  • squirrelmail (2:1.4.15-4ubuntu0.1) jaunty-security; urgency=low
    
      * SECURITY UPDATE: (LP: #375513)
      * Multiple cross site scripting issues. Two issues were fixed that both
        allowed an attacker to run arbitrary script (XSS) on most any
        SquirrelMail page by getting the user to click on specially crafted
        SquirrelMail links.
        - http://squirrelmail.org/security/issue/2009-05-08
        - CVE-2009-1578
        - Patch taken from upstream svn rev. 13670. Applied inline.
      * Cross site scripting issues in decrypt_headers.php. An issue was fixed
        wherein input to the contrib/decrypt_headers.php script was not sanitized
        and allowed arbitrary script execution upon submission of certain values.
        - http://squirrelmail.org/security/issue/2009-05-09
        - CVE-2009-1578
        - Patch taken from upstream svn rev. 13672. Applied inline.
      * Server-side code injection in map_yp_alias username map. An issue was
        fixed that allowed arbitrary server-side code execution when SquirrelMail
        was configured to use the example "map_yp_alias" username mapping
        functionality.
        - http://squirrelmail.org/security/issue/2009-05-10
        - CVE-2009-1579
        - Patch taken from upstream svn rev. 13674. Applied inline.
      * Session fixation vulnerability. An issue was fixed that allowed an
        attacker to possibly steal user data by hijacking the SquirrelMail
        login session.
        - http://squirrelmail.org/security/issue/2009-05-11
        - CVE-2009-1580
        - Patch taken from upstream svn rev. 13676. Applied inline.
      * CSS positioning vulnerability. An issue was fixed that allowed phishing
        and cross-site scripting (XSS) attacks to be run by surreptitious
        placement of content in specially-crafted emails sent to SquirrelMail
        users.
        - http://squirrelmail.org/security/issue/2009-05-12
        - CVE-2009-1581
        - Patch taken from upstream svn rev. 13667. Applied inline.
    
     -- Andreas Wenning <email address hidden>   Tue, 12 May 2009 21:06:15 +0200
  • squirrelmail (2:1.4.15-4) unstable; urgency=high
    
      * Address cross site scripting issue in the HTML filter
        (CVE-2008-2379).
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  10 Dec 2008 07:13:44 +0000
  • squirrelmail (2:1.4.15-3) unstable; urgency=high
    
      * Cookies sent over HTTPS will now be confined to HTTPS only
        (cookie secure flag) and more support for the HTTPOnly cookie
        attribute. Patch taken from upstream release.
        (CVE-2008-3663, closes: #499942)
    
    squirrelmail (2:1.4.15-2) unstable; urgency=low
    
      * Update fortune location to Debian's default, thanks
        Richard Nelson, closes: #484835.
      * Conforms to Debian policy 3.8.0, no changes required.
    
     -- Michael Bienia <email address hidden>   Wed,  08 Oct 2008 14:14:40 +0100